contrib.nodejsscan.jwt_not_revoked.jwt_not_revoked


No token revocation is configured for express-jwt. A leaked token could still be used and could not be revoked. Consider providing a function as the isRevoked option.


Definition

# Reports express-jwt middleware instances created without an `isRevoked`
# callback: without one, a token that leaks stays valid until it expires.
rules:
  - id: jwt_not_revoked
    patterns:
      # Only consider files that load the package via require().
      # NOTE(review): an ESM `import` of express-jwt would not satisfy this
      # clause as written, so such files appear to go unchecked — confirm.
      - pattern-inside: |
          $JWT = require('express-jwt');
          ...
      # Any call of the required module, e.g. jwt({...}) or jwt(opts).
      - pattern: $JWT(...)
      # Exclusion 1: the options passed inline contain an isRevoked key
      # anywhere inside the first argument (deep-expression operator).
      - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...)
      # Exclusion 2: the options are built in a variable first, then passed.
      # NOTE(review): an isRevoked added afterwards by property assignment
      # (e.g. `opts.isRevoked = fn`) matches neither exclusion and would
      # still be reported — verify whether that is intended.
      - pattern-not-inside: |-
          $OPTS = <... {isRevoked:...} ...>;
          ...
          $JWT($OPTS,...);
    message: No token revoking configured for `express-jwt`. A leaked token could
      still be used and unable to be revoked. Consider using function as the
      `isRevoked` option.
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: "CWE-522: Insufficiently Protected Credentials"
      owasp: A02:2017 - Broken Authentication
      category: security
      technology:
        - node.js
        - jwt
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

jwt_not_revoked.js

// Test fixture for the jwt_not_revoked rule. Both middleware instances below
// are created without an `isRevoked` option, so each `jwt(...)` call is
// expected to be reported (the `// ruleid:` marker on the preceding line is
// what the rule's test harness checks).
var jwt = require('express-jwt');
// NOTE(review): imported but not used anywhere in this fixture — presumably
// meant to supply an `isRevoked` callback for a non-reported case; confirm.
var blacklist = require('express-jwt-blacklist');

// Options passed inline with only `secret`: matched by `$JWT(...)` and not
// excluded, because no isRevoked key appears in the argument.
// ruleid: jwt_not_revoked
app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function (req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// Options assembled in a variable first (the rule's second exclusion form);
// still reported because the assembled object carries no isRevoked key.
let configSecret = config.get('secret')
const opts = Object.assign({ issuer: 'http://issuer' }, { secret: configSecret })
// ruleid: jwt_not_revoked
app.get('/ok-protected', jwt(opts), function (req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});